Ron Johnson – Washington
Quote from Ron: “all of us have worked on our junior lawyer merit badges over the past ten years”. UW senior leadership has been working hard on the issues of preserving electronic records – we don’t do particularly well when it’s not a big case. We’re threatened with suits almost every day for something. Learned a lot about new rules for civil procedure – spoliation is a new concept about failure to preserve evidence. There’s a presumption that you’re hiding something and that can lead to penalties.
Ron cites some cases where, when evidence can’t be produced, the judges instruct that the missing records be presumed harmful to the defendant’s case. Think about a world where opposing counsel uses these tactics regularly against universities. It’s a challenge just to know where to look for evidence – and judges won’t accept not knowing.
Ron urges universities to adopt common practices for these kinds of cases. We need reasonable structures for electronic records retention.
Dave Lambert – Georgetown
Georgetown has a unique risk profile, being private and Jesuit, and existing in the DC political environment. How does this play out in the safety and facilities space and the IT organization’s support for that?
Has roots in the response to Y2K. That was the first business continuity planning they’d done. By 9/11 that had turned out to be very useful. By early 2002 had created a new cabinet position – VP for University Safety. As they paid more attention to safety systems they became aware of what bad shape they were in. The infrastructure had migrated from analog to a digital base, but the units didn’t always have the IT resources to manage that well. Responsibility for those systems got assigned to central IT. They created an application team and developed a physical safety and facilities support team. They’re a little less than two years into that process. Brought people into the institution who had background in safety and complex enterprise systems. Used a headhunter to recruit, but they could only identify two people in the country with the right skills. Hired one of them from Johns Hopkins. Current projects include command center infrastructure, notifications center, executive communications support (including requiring senior executives to carry satellite phones), repairing the emergency phone system, upgrading and expanding the door control system, expanding and updating an on-campus camera system, a PA system deployment plan, survivable web planning (including reengineering of DNS to support it), review of the fire alarm management system, campus card system, smart perimeter control, and more.
Staffing has been a challenge – finding people with the right skills. There is not a professional community who have been working in this area that can handle the level of demand. New partnerships and constituencies with new cultures and sensitivities.
Joel Smith – Carnegie Mellon
Structuring communications in emergencies. Things came up from faculty in social sciences (including Baruch Fischhoff) – don’t focus so much on how to get the message to everyone, but more on making sure the message has the desired effect. People will react to messages in ways you don’t expect. Important to do testing. Need not only subject experts, but decision analysts and social scientists. There’s a relevant article here. Public relations vs. public safety. The public relations role is to assure people ahead of time that they’ll get good information. Public health or safety folks get out the messages about what to do. What happened in Katrina was that those roles got confused.
Erv Blythe – VA Tech
Summing up lessons learned.
400 professional staff and faculty in the IT organization. Every person and function was touched and stressed in unanticipated ways. For example: who was in that building (not who was scheduled to be)? Could they mine telephone and network logs? Can you find the social networks that connected people in that building? What information can IT provide to aid in biometric identification of victims? These are kinds of info not kept in typical enterprise systems.
Now asking with every project – are there ways to leverage this project to improve safety and response? Can we see ways in which this project can aid in mitigation and recovery? But need to remind ourselves not to consider everything in the context of this particular event.
Physical safety and security is one of the things that CIOs need to be responsible for.
These were brutal and horrible events. Every VT IT person will go to every length to share whatever information they have learned from these lessons.